{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-14576","assignerOrgId":"a59d8014-47c4-4630-ab43-e1b13cbe58e3","state":"PUBLISHED","assignerShortName":"TQtC","dateReserved":"2025-12-12T12:52:21.516Z","datePublished":"2026-04-30T12:39:40.067Z","dateUpdated":"2026-06-30T12:07:23.863Z"},"containers":{"cna":{"providerMetadata":{"orgId":"a59d8014-47c4-4630-ab43-e1b13cbe58e3","shortName":"TQtC","dateUpdated":"2026-04-30T12:51:40.517Z"},"title":"Possible QML code injection in VectorImage component","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-94","description":"CWE-94 Improper Control of Generation of Code ('Code Injection')","type":"CWE"}]},{"descriptions":[{"lang":"en","cweId":"CWE-20","description":"CWE-20 Improper Input Validation","type":"CWE"}]}],"impacts":[{"capecId":"CAPEC-242","descriptions":[{"lang":"en","value":"CAPEC-242 Code Injection"}]}],"affected":[{"vendor":"The Qt Company","product":"Qt","platforms":["Windows","MacOS","Linux","iOS","Android","x86","ARM","64 bit","32 bit"],"collectionURL":"https://www.qt.io/","packageName":"qtdeclarative","modules":["Qt Declarative (Qt Quick)","VectorImage Component"],"versions":[{"status":"affected","version":"6.8.0","lessThanOrEqual":"6.8.6","versionType":"python"},{"status":"affected","version":"6.10.0","lessThanOrEqual":"6.10.1","versionType":"python"}],"defaultStatus":"unaffected"}],"cpeApplicability":[{"operator":"OR","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:the_qt_company:qt:*:*:windows:*:*:*:*:*","versionStartIncluding":"6.8.0","versionEndIncluding":"6.8.6"},{"vulnerable":true,"criteria":"cpe:2.3:a:the_qt_company:qt:*:*:macos:*:*:*:*:*","versionStartIncluding":"6.8.0","versionEndIncluding":"6.8.6"},{"vulnerable":true,"criteria":"cpe:2.3:a:the_qt_company:qt:*:*:linux:*:*:*:*:*","versionStartIncluding":"6.8.0","versionEndIncluding":"6.8.6"},{"vulnerable":true,"criteria":"cpe:2.3:a:the_qt_company:qt:*:*:ios:*:*:*:*:*","versionStartIncluding":"6.8.0","versionEndIncluding":"6.8.6"},{"vulnerable":true,"criteria":"cpe:2.3:a:the_qt_company:qt:*:*:android:*:*:*:*:*","versionStartIncluding":"6.8.0","versionEndIncluding":"6.8.6"},{"vulnerable":true,"criteria":"cpe:2.3:a:the_qt_company:qt:*:*:x86:*:*:*:*:*","versionStartIncluding":"6.8.0","versionEndIncluding":"6.8.6"},{"vulnerable":true,"criteria":"cpe:2.3:a:the_qt_company:qt:*:*:arm:*:*:*:*:*","versionStartIncluding":"6.8.0","versionEndIncluding":"6.8.6"},{"vulnerable":true,"criteria":"cpe:2.3:a:the_qt_company:qt:*:*:64_bit:*:*:*:*:*","versionStartIncluding":"6.8.0","versionEndIncluding":"6.8.6"},{"vulnerable":true,"criteria":"cpe:2.3:a:the_qt_company:qt:*:*:32_bit:*:*:*:*:*","versionStartIncluding":"6.8.0","versionEndIncluding":"6.8.6"},{"vulnerable":true,"criteria":"cpe:2.3:a:the_qt_company:qt:*:*:windows:*:*:*:*:*","versionStartIncluding":"6.10.0","versionEndIncluding":"6.10.1"},{"vulnerable":true,"criteria":"cpe:2.3:a:the_qt_company:qt:*:*:macos:*:*:*:*:*","versionStartIncluding":"6.10.0","versionEndIncluding":"6.10.1"},{"vulnerable":true,"criteria":"cpe:2.3:a:the_qt_company:qt:*:*:linux:*:*:*:*:*","versionStartIncluding":"6.10.0","versionEndIncluding":"6.10.1"},{"vulnerable":true,"criteria":"cpe:2.3:a:the_qt_company:qt:*:*:ios:*:*:*:*:*","versionStartIncluding":"6.10.0","versionEndIncluding":"6.10.1"},{"vulnerable":true,"criteria":"cpe:2.3:a:the_qt_company:qt:*:*:android:*:*:*:*:*","versionStartIncluding":"6.10.0","versionEndIncluding":"6.10.1"},{"vulnerable":true,"criteria":"cpe:2.3:a:the_qt_company:qt:*:*:x86:*:*:*:*:*","versionStartIncluding":"6.10.0","versionEndIncluding":"6.10.1"},{"vulnerable":true,"criteria":"cpe:2.3:a:the_qt_company:qt:*:*:arm:*:*:*:*:*","versionStartIncluding":"6.10.0","versionEndIncluding":"6.10.1"},{"vulnerable":true,"criteria":"cpe:2.3:a:the_qt_company:qt:*:*:64_bit:*:*:*:*:*","versionStartIncluding":"6.10.0","versionEndIncluding":"6.10.1"},{"vulnerable":true,"criteria":"cpe:2.3:a:the_qt_company:qt:*:*:32_bit:*:*:*:*:*","versionStartIncluding":"6.10.0","versionEndIncluding":"6.10.1"}]}]}],"descriptions":[{"lang":"en","value":"Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access.","supportingMedia":[{"type":"text/html","base64":false,"value":"<p>Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access.</p>"}]}],"references":[{"url":"https://codereview.qt-project.org/c/qt/qtdeclarative/+/697273","name":"Qt Code Review - Fix for QTBUG-142556","tags":["patch"]}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV4_0":{"attackVector":"LOCAL","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"PASSIVE","vulnConfidentialityImpact":"HIGH","subConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","subIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subAvailabilityImpact":"HIGH","exploitMaturity":"UNREPORTED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED","version":"4.0","baseSeverity":"HIGH","baseScore":7.4,"vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U"}}],"solutions":[{"lang":"en","value":"Update to Qt 6.8.7 or Qt 6.10.2 or later. As a temporary mitigation, validate and sanitize all SVG files before loading them with VectorImage, or only load SVG files from trusted sources.","supportingMedia":[{"type":"text/html","base64":false,"value":"<p>Update to Qt 6.8.7 or Qt 6.10.2 or later. As a temporary mitigation, validate and sanitize all SVG files before loading them with VectorImage, or only load SVG files from trusted sources.</p>"}]}],"credits":[{"lang":"en","value":"Qt Development Team","type":"finder"}],"source":{"discovery":"INTERNAL"},"x_generator":{"engine":"Vulnogram 0.1.0-dev"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-04-30T13:13:55.418329Z","id":"CVE-2025-14576","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-04-30T13:14:04.728Z"}},{"affected":[{"cpes":["cpe:/o:redhat:enterprise_linux_eus:10.0"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream EUS (v. 10.0)","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:10.2"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream (v. 10)","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux_eus:10.0"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:10.2"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:hummingbird:1"],"defaultStatus":"affected","product":"Red Hat Hardened Images","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:10"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 10","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:multicluster_globalhub"],"defaultStatus":"unaffected","product":"Multicluster Global Hub","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:acm:2"],"defaultStatus":"unaffected","product":"Red Hat Advanced Cluster Management for Kubernetes 2","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:6"],"defaultStatus":"unaffected","product":"Red Hat Enterprise Linux 6","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:7"],"defaultStatus":"unaffected","product":"Red Hat Enterprise Linux 7","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:8"],"defaultStatus":"unaffected","product":"Red Hat Enterprise Linux 8","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:9"],"defaultStatus":"unaffected","product":"Red Hat Enterprise Linux 9","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift:4"],"defaultStatus":"unaffected","product":"Red Hat OpenShift Container Platform 4","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_gitops:1"],"defaultStatus":"unaffected","product":"Red Hat OpenShift GitOps","vendor":"Red Hat"}],"datePublic":"2026-04-30T12:39:40.067Z","descriptions":[{"lang":"en","value":"A flaw was found in the Qt SVG module and the VectorImage component in Qt Quick. This vulnerability allows a remote attacker to inject arbitrary QML/JavaScript code by tricking a user into loading a specially crafted malicious SVG file. Successful exploitation could lead to denial of service, information disclosure, or other impacts, depending on the application's privileges and data access."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-94","description":"Improper Control of Generation of Code ('Code Injection')","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2025-14576"},{"name":"RHBZ#2464114","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2464114"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-14576.json"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:24987"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:20567"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:7620"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:7846"}],"solutions":[{"lang":"en","value":"RHSA-2026:24987: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)"},{"lang":"en","value":"RHSA-2026:20567: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)"},{"lang":"en","value":"RHSA-2026:7620: Red Hat Hardened Images"},{"lang":"en","value":"RHSA-2026:7846: Red Hat Hardened Images"}],"timeline":[{"lang":"en","time":"2026-04-30T13:01:32.429Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-04-30T12:39:40.067Z","value":"Made public."}],"title":"qt: Qt SVG: Arbitrary QML/JavaScript code injection via malicious SVG file","x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-06-30T12:07:23.863Z"}}]}}